AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/ and stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on Stack Overflow with the tags "msal" and "python":
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

[Feature Request] Client Secret option for UsernamePasswordCredential #695

Closed cjusko closed 1 month ago

cjusko commented 1 month ago

MSAL client type

Confidential

Problem Statement

I'm trying to authenticate via the UsernamePasswordCredential class, in order to then use it to access the msgraph-sdk-python; however, when trying to get the token, I receive the following error:

{"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: 2113cd76-ec33-42eb-92f4-cb24256b4200 Correlation ID: 5ab9546b-4eb7-45bf-a245-4c3460cbfc8e Timestamp: 2024-04-26 18:48:34Z","error_codes":[7000218],"timestamp":"2024-04-26 18:48:34Z","trace_id":"2113cd76-ec33-42eb-92f4-cb24256b4200","correlation_id":"5ab9546b-4eb7-45bf-a245-4c3460cbfc8e","error_uri":"https://login.microsoftonline.us/error?code=7000218"}

Here's my code:

```python
from azure.identity import UsernamePasswordCredential

# auth = dict of creds (loaded from config; the values here are placeholders)
auth = {
    "clientId": "<client-id>",
    "username": "<username>",
    "password": "<password>",
    "authority": "login.microsoftonline.us",  # authority host, US Government cloud
    "tenant": "<tenant-id>",
}

up_cred = UsernamePasswordCredential(
    client_id=auth['clientId'],
    username=auth['username'],
    password=auth['password'],
    authority=auth['authority'],
    tenant_id=auth['tenant']
)

scopes = ['https://graph.microsoft.us/.default']
# _request_token is a private helper; get_token(*scopes) is the public API
print(up_cred._request_token(scopes=scopes))
```

To Reproduce

Steps to reproduce the behavior:

  1. try to create a UsernamePasswordCredential on private application that requires a Client Secret

Expected behavior

There would ideally be an option to provide the client secret. If there is already, then how am I able to do that?

Tried using ClientSecretCredential instead, but the claims response is always empty, resulting in an error. I assume that's because a login is required to authenticate properly, perhaps an incorrect assumption (see https://github.com/microsoftgraph/msgraph-sdk-python/issues/672 )

Advised to open issue here from my previous issue in https://github.com/Azure/azure-sdk-for-python/issues/35386

Proposed solution

No response

rayluo commented 1 month ago

That error message means the token request did not provide the client's credential.

MSAL Python's acquire_token_by_username_password() has already been implemented for ConfidentialClientApplication, too.

Azure Identity's UsernamePasswordCredential shall indeed add a new client_credential parameter and wire it up to MSAL Python. This shall be a new feature request for Azure SDK.

Meanwhile, @cjusko, you may consider directly using MSAL Python to support such a scenario. This MSAL sample can work with or without a client secret.
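The route rayluo points to, calling MSAL Python's ConfidentialClientApplication directly so that the client secret is sent with the username/password request, written out as an added example; it is not the MSAL sample or code from this thread. The client id, secret, tenant and account values are placeholders read from environment variables, the authority is the US Government cloud endpoint that appears in the issue's error_uri, and the AADSTS7000218 check reuses the error body quoted in the issue as its sample input:

```python
import json
import os

try:
    import msal  # pip install msal
except ImportError:  # the offline diagnostics below still work without msal
    msal = None

# Error code Entra ID returns when a confidential client sends neither
# client_secret nor client_assertion (the AADSTS7000218 body in the issue)
MISSING_CLIENT_CREDENTIAL = 7000218

# Token-endpoint error body quoted in the issue, used here as sample input
ISSUE_ERROR_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000218: The request body must contain the "
                         "following parameter: 'client_assertion' or 'client_secret'.",
    "error_codes": [7000218],
})


def diagnose_token_error(body):
    """Map a token-endpoint error body to a short cause label.

    Returns "missing_client_credential" for AADSTS7000218, otherwise the OAuth
    error name (e.g. "invalid_grant" for a rejected username/password), or
    "unknown" when the body is not a recognisable error document.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    if MISSING_CLIENT_CREDENTIAL in data.get("error_codes", []):
        return "missing_client_credential"
    return data.get("error", "unknown")


def build_confidential_app(client_id, client_secret, authority, http_client=None):
    """Create a ConfidentialClientApplication that carries the client secret on
    every token request, which is what the Azure Identity credential omits."""
    if msal is None:
        raise RuntimeError("msal is not installed; run: pip install msal")
    return msal.ConfidentialClientApplication(
        client_id,
        client_credential=client_secret,  # omitting this yields AADSTS7000218
        authority=authority,
        http_client=http_client,          # allows a fake transport in tests
    )


def acquire_graph_token(app, username, password, scopes):
    """Run the username/password (ROPC) flow and return the access token."""
    result = app.acquire_token_by_username_password(username, password, scopes=scopes)
    if "access_token" in result:
        return result["access_token"]
    # MSAL passes the server's error fields through in the result dict
    cause = diagnose_token_error(json.dumps(result))
    raise RuntimeError(f"token request failed ({cause}): {result.get('error_description')}")


if __name__ == "__main__":
    # Hypothetical configuration: secrets come from the environment, not source.
    app = build_confidential_app(
        client_id=os.environ["CLIENT_ID"],
        client_secret=os.environ["CLIENT_SECRET"],
        authority="https://login.microsoftonline.us/" + os.environ["TENANT_ID"],
    )
    token = acquire_graph_token(
        app, os.environ["ROPC_USERNAME"], os.environ["ROPC_PASSWORD"],
        scopes=["https://graph.microsoft.us/.default"],
    )
    print(token[:12] + "...")
```

diagnose_token_error is there so a failing request is logged by cause rather than by raw body: AADSTS7000218 means the app registration is confidential and the secret was not sent, while invalid_grant points at the user credentials instead.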